From cfc788c360893e239f37833e73ba0ee5a434f572 Mon Sep 17 00:00:00 2001 From: Joe Testa Date: Tue, 17 Mar 2020 22:51:06 -0400 Subject: [PATCH] Now prints the curve name and key strength for ECC certificates. --- docker_test/expected_output/test_15.txt | 3 +++ docker_test/expected_output/test_18.txt | 3 +++ sslscan.c | 29 +++++++++++++++++++------ 3 files changed, 28 insertions(+), 7 deletions(-) diff --git a/docker_test/expected_output/test_15.txt b/docker_test/expected_output/test_15.txt index a807da3..d3d2c6c 100644 --- a/docker_test/expected_output/test_15.txt +++ b/docker_test/expected_output/test_15.txt @@ -67,6 +67,9 @@ TLSv1.2 ecdsa_secp521r1_sha512 SSL Certificate: Signature Algorithm: sha256WithRSAEncryption +ECC Curve Name: prime256v1 +ECC Key Strength: 128 + Subject: itspeanutbutterjellytime.com Issuer: /C=XX/ST=Nowhere in particular/L=Nowhere Not valid before: Dec 22 19:01:56 2019 GMT diff --git a/docker_test/expected_output/test_18.txt b/docker_test/expected_output/test_18.txt index 3bed47b..442895c 100644 --- a/docker_test/expected_output/test_18.txt +++ b/docker_test/expected_output/test_18.txt @@ -39,6 +39,9 @@ TLSv1.2 ecdsa_sha1 SSL Certificate: Signature Algorithm: sha256WithRSAEncryption +ECC Curve Name: prime256v1 +ECC Key Strength: 128 + Subject: itspeanutbutterjellytime.com Issuer: /C=XX/ST=Nowhere in particular/L=Nowhere Not valid before: Dec 22 19:01:56 2019 GMT diff --git a/sslscan.c b/sslscan.c index dcbe609..0e7372c 100644 --- a/sslscan.c +++ b/sslscan.c @@ -95,6 +95,7 @@ #include #include #include +#include #include #include #include 
@@ -2030,14 +2031,28 @@ int checkCertificate(struct sslCheckOptions *options, const SSL_METHOD *sslMetho } break; case EVP_PKEY_EC: - if (EVP_PKEY_get1_EC_KEY(publicKey)) - { - // TODO - display key strength - printf_xml(" \n"); - /* EC_KEY_print(stdoutBIO, publicKey->pkey.ec, 6); */ - } - else { + EC_KEY *ec_key = EVP_PKEY_get1_EC_KEY(publicKey); + if (ec_key != NULL) + { + // We divide by two to get the symmetric key strength equivalent; this + // ensures consistency with the Server Key Exchange Group section. + int keyBits = EVP_PKEY_bits(publicKey) / 2; + const char *ec_group_name = OBJ_nid2sn(EC_GROUP_get_curve_name(EC_KEY_get0_group(ec_key))); + char *color = ""; + + + if (keyBits < 112) + color = COL_RED; + else if (keyBits < 128) + color = COL_YELLOW; + + printf("ECC Curve Name: %s\n", ec_group_name); + printf("ECC Key Strength: %s%d%s\n\n", color, keyBits, RESET); + printf_xml(" \n", ec_group_name, keyBits); + EC_KEY_free(ec_key); ec_key = NULL; + } + else printf(" EC Public Key: NULL\n"); } break;
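Review bot: As rendered, `EC_KEY *ec_key = EVP_PKEY_get1_EC_KEY(publicKey);` is the first line after `case EVP_PKEY_EC:`, and a declaration placed directly after a case label is rejected by C11 and earlier compilers; unless this rendering dropped an enclosing brace (the `-2030,14 +2031,28` counts are one line more than is visible on each side), the case body should be wrapped in its own `{ … }` block so the declaration sits inside a compound statement. `OBJ_nid2sn()` can return NULL for a NID it cannot resolve, and passing that to `%s` in the `ECC Curve Name` printf and in the printf_xml call is undefined behaviour; a guard such as `if (ec_group_name == NULL) ec_group_name = "unknown";` before the printing keeps the output well-defined when the group's curve NID is not in OpenSSL's object table. `char *color = "";` is only ever assigned string literals, so it should be `const char *color = "";`, matching the `const char *ec_group_name` declared just above it, and the double blank line after it can go. The enclosing checkCertificate body starts and ends outside this hunk.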